Hackers are increasingly trying to exploit PHP ‘SuperGlobal’ variables as a way to compromise their targets, according to a new report from Imperva.
Over the course of May, Imperva identified 3,450 requests that manipulated PHP SuperGlobal variables targeting 24 web applications. These requests were generated by 27 different source IP addresses and appeared in the form of request burst floods with peaks of more than 20 hits per minute on a single application.
The source of one such attack examined by the company was traced to an Italian host server targeting two different applications. The host server did not have a malicious reputation, and in fact belonged to an Italian bank.
The firm also said it observed SuperGlobal variable manipulation occurring as part of large vulnerability scans performed by tools such as Nikto, Nessus and Acunetix. This demonstrates that SuperGlobal manipulation has become common practice integrated into security and hacking tool routines, Imperva observed.
The report also documents an attack on a vulnerable version of the PhpMyAdmin (PMA) utility.
“This utility is often bundled with other applications using the popular MySQL Database,” the report notes. “Having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed. One way to achieve such an ‘opt out’ security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.”
“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire Web,” said Amichai Shulman, CTO at Imperva, in a statement. “The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”
According to Imperva, organizations can mitigate these attacks by adopting a “positive security model” that specifies the allowed parameter names for each resource, thereby preventing an attacker from sending out external parameters with the same name of internal variables and overriding the internal variables’ value. In addition, SuperGlobal parameters in requests should be blocked.
“Since there is no reason for these parameters to be present in requests, they should be banned,” the firm advised.
A copy of the report, part of Imperva’s Hacker Intelligence Initiative, is available here.
